A security flaw has been uncovered in the major internet utility Cloudflare, which millions of web businesses depend on. “The bug was serious because the leaked memory could contain private information and because it had been cached by search engines,” Cloudflare’s response team said on Thursday.
A list of 4,287,625 possibly affected domains includes many in the bitcoin space. The data shared includes “passwords, private messages, API keys, and other sensitive data,” although such data could not be targeted, and fell into the hands of “random requesters.” While the earliest date memory could have leaked is September 2016, Cloudflare has had no reports that outside parties had identified the issue or exploited it.
The bug was discovered by Google vulnerability researcher Tavis Ormandy on Friday, who notified CloudFlare about the leak immediately. Within 47 minutes, CloudFlare reported the leak as plugged, and the underlying issues were corrected within 7 hours.
Self-described cypherpunk and former CloudFlare employee Ryan Lackey subsequently wrote up an in-depth ‘how to deal with it’ article, approved by Ormandy. Lackey provides system administrators with advice on handling the problem, and advises all CloudFlare users about what to look for.
“The most sensitive information leaked is authentication information and credentials,” Lackey explains. “A compromise of this data can have lasting and ongoing consequences until credentials are revoked and replaced.”
CloudFlare is one of the most popular content delivery networks, and is used by all kinds of websites to lower bandwidth costs and protect against DDoS attacks. In the bitcoin service community specifically, major exchanges and utilities are on the list, including Coinbase, Blockchain.info, BTC-E, Bitpay, Localbitcoins, Glidera, Poloniex, BitcoinCharts, and Kraken.
Other major websites that Bitcoin users may visit on the list include Authy, Uber, Yelp, Medium, Upwork, Fiverr, Taringa!, Zoho, Pastebin, DigitalOcean, Namecheap, Glassdoor, Prosper, TorrentFreak, OKCupid, Zendesk, FitBit, oDesk, Pingdom, Techdirt, Statcounter, Typepad, Udemy, TechinAsia, Producthunt, and 4Chan, to name a few.
The users of these services are advised to change passwords and reset any two-factor authentication. “While Cloudflare’s service was rapidly patched to eliminate this bug, data was leaking constantly before this point — for months,” states Lackey. “Some of this data was cached publicly in search engines such as Google, and is being removed.”
Bitpay was among the first in the bitcoin community to publicly respond to the leak. “We believe that it would not be possible for a BitPay user’s password to have been exposed by this bug,” the company states, while recommending that users “take the time to reset your password.”
Coinbase issued a statement several hours later. The company discovered a single instance of a leaked Coinbase session cookie, which it immediately invalidated. “We have no reason to believe that any Coinbase customer’s personal data or account has been compromised.” Users are advised to log out of any mobile apps and log back in to clear that session cookie. The company also advised businesses using its API to get a new key.
The reclusive Russian exchange BTC-e also advised its users to change their API keys, and for safety gave them until Sunday the 26th to change their login credentials. If not changed by then, users will be logged out of the exchange and be forced to change them before logging back in.
Kraken and Glidera both sent out an email to their users recommending a password and two-factor authentication update. Canadian bitcoin exchange QuadrigaCX posted similar instructions on the bitcoin Reddit forum.
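The advice from the exchanges above boils down to one check: which of my accounts sit on an affected domain, and what must be rotated there? The script below is an added example, not code from the article or from any of the companies named; it matches a constructed password-manager export against a constructed excerpt of the affected-domain list (the real list has millions of entries) and produces a rotation plan covering passwords, sessions and two-factor re-enrollment.

```python
from urllib.parse import urlparse

# Constructed excerpt standing in for the published affected-domain list.
AFFECTED_DOMAINS_TEXT = """
# one domain per line
coinbase.com
authy.com
digitalocean.com
kraken.com
"""

# Constructed password-manager export: (account label, site URL, 2FA enrolled?)
VAULT = [
    ("Coinbase", "https://www.coinbase.com/signin", True),
    ("Kraken", "https://kraken.com", True),
    ("Example Bank", "https://online.example-bank.test/login", False),
    ("Authy", "https://authy.com/", False),
]

def load_affected(text):
    """Parse the domain list into a set of lowercase domains, skipping comments."""
    return {ln.strip().lower().rstrip(".") for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def registrable_domain(url):
    """Reduce a URL to its last two host labels (www.coinbase.com -> coinbase.com).
    Assumption: no multi-part public suffixes such as co.uk in the input; a real
    tool should use the Public Suffix List instead of this heuristic."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def rotation_plan(vault, affected):
    """Return (label, domain, actions) for every vault entry on an affected domain."""
    plan = []
    for label, url, has_2fa in vault:
        dom = registrable_domain(url)
        if dom not in affected:
            continue
        # Credentials and session material are what the leak exposed, so both rotate.
        actions = ["reset password", "log out everywhere to invalidate sessions",
                   "regenerate any API keys"]
        if has_2fa:
            actions.append("re-enroll two-factor authentication")
        plan.append((label, dom, actions))
    return plan

if __name__ == "__main__":
    for label, dom, actions in rotation_plan(VAULT, load_affected(AFFECTED_DOMAINS_TEXT)):
        print(f"{label} ({dom}): " + "; ".join(actions))
```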
A similar wide-scale vulnerability affected the world in April 2014. The “Heartbleed” bug, which Cloudbleed is named after, was a weakness in the encryption software that secures websites. That bug also leaked small chunks of private data from computer memory, but did so when websites used OpenSSL, a very common way for business websites and even banks to protect against hackers and theft. The fix for Heartbleed was more difficult than for Cloudbleed, since affected websites had to upgrade to a new version of OpenSSL.
Bitcoin was also susceptible to the bug, and developers addressed the issue in Bitcoin Core version 0.9.1. Exchanges were the most vulnerable, but after the developers issued the patch, the major exchanges had all upgraded in a matter of hours. Cloudbleed, on the other hand, requires all users to take action in order to stay safe.
